6 changes: 6 additions & 0 deletions Documentation/nvme-check-tls-key.txt
Expand Up @@ -16,6 +16,7 @@ SYNOPSIS
[--output-format=<fmt> | -o <fmt>]
[--identity=<id-vers> | -I <id-vers>]
[--insert | -i ]
[--compat | -C ]
[--keyfile=<keyfile> | -f <keyfile>]
[--verbose | -v]

Expand Down Expand Up @@ -62,6 +63,11 @@ OPTIONS
--insert:
Insert the derived 'retained' key in the keyring.

-C:
--compat:
Use the original algorithm when deriving TLS keys for
compatibility with older implentations.

-f <keyfile>
--keyfile=<keyfile>
Append the resulting TLS key to keyfile. This command line option is
9 changes: 8 additions & 1 deletion Documentation/nvme-gen-tls-key.txt
Expand Up @@ -16,6 +16,7 @@ SYNOPSIS
[--identity=<id-vers> | -I <id-vers>]
[--secret=<secret> | -s <secret>]
[--insert | -i]
[--compat | -C]
[--keyfile=<keyfile> | -f <keyfile>]
[--output-format=<fmt> | -o <fmt>] [--verbose | -v]

Expand All @@ -27,7 +28,8 @@ The resulting key is either printed in the PSK interchange format
'retained' key into the specified keyring if the '--insert' option
is given.
When the PSK should be inserted into the keyring a 'retained' key
is derived from the secret key material. The resulting 'retained'
is derived from the secret key material using the HKDF-Expand-Label
algorithm from RFC 8446. The resulting 'retained'
key is stored with the identity
'NVMe0R0<hmac> <host NQN> <subsystem NQN>'
(for identity version '0') or
Expand Down Expand Up @@ -82,6 +84,11 @@ OPTIONS
Insert the resulting TLS key into the keyring without printing out
the key in PSK interchange format.

-C:
--compat:
Use the original non-RFC 8446 compliant algorithm when
deriving TLS keys for compatibility with older implentations.

-f <keyfile>
--keyfile=<keyfile>
Append the resulting TLS key to keyfile. This command line option is
35 changes: 30 additions & 5 deletions nvme.c
Expand Up @@ -9757,6 +9757,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
const char *keytype = "Key type of the retained key.";
const char *insert = "Insert retained key into the keyring.";
const char *keyfile = "Update key file with the derive TLS PSK.";
const char *compat = "Use compatibility algorithm for HKDF-Expand-Label.";

_cleanup_free_ unsigned char *raw_secret = NULL;
_cleanup_free_ char *encoded_key = NULL;
Expand All @@ -9775,6 +9776,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
unsigned char hmac;
unsigned char version;
bool insert;
bool compat;
};

struct config cfg = {
Expand All @@ -9787,6 +9789,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
.hmac = 1,
.version = 0,
.insert = false,
.compat = false,
};

NVME_ARGS(opts,
Expand All @@ -9798,7 +9801,8 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
OPT_STR("keyfile", 'f', &cfg.keyfile, keyfile),
OPT_BYTE("hmac", 'm', &cfg.hmac, hmac),
OPT_BYTE("identity", 'I', &cfg.version, version),
OPT_FLAG("insert", 'i', &cfg.insert, insert));
OPT_FLAG("insert", 'i', &cfg.insert, insert),
OPT_FLAG("compat", 'C', &cfg.compat, compat));

err = parse_args(argc, argv, desc, opts);
if (err)
Expand Down Expand Up @@ -9859,7 +9863,13 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
printf("%s\n", encoded_key);

if (cfg.insert) {
tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
if (cfg.compat)
tls_key = nvme_insert_tls_key_compat(cfg.keyring,
cfg.keytype, cfg.hostnqn,
cfg.subsysnqn, cfg.version,
cfg.hmac, raw_secret, key_len);
else
tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
cfg.keytype, cfg.hostnqn,
cfg.subsysnqn, cfg.version,
cfg.hmac, raw_secret, key_len);
Expand Down Expand Up @@ -9891,6 +9901,7 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
const char *keytype = "Key type of the retained key.";
const char *insert = "Insert retained key into the keyring.";
const char *keyfile = "Update key file with the derive TLS PSK.";
const char *compat = "Use compatibility algorithm for HKDF-Expand-Label.";

_cleanup_free_ unsigned char *decoded_key = NULL;
_cleanup_free_ char *hnqn = NULL;
Expand All @@ -9906,6 +9917,7 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
char *keyfile;
unsigned char identity;
bool insert;
bool compat;
};

struct config cfg = {
Expand All @@ -9917,6 +9929,7 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
.keyfile = NULL,
.identity = 0,
.insert = false,
.compat = false,
};

NVME_ARGS(opts,
Expand All @@ -9927,7 +9940,8 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
OPT_STR("keydata", 'd', &cfg.keydata, keydata),
OPT_STR("keyfile", 'f', &cfg.keyfile, keyfile),
OPT_BYTE("identity", 'I', &cfg.identity, identity),
OPT_FLAG("insert", 'i', &cfg.insert, insert));
OPT_FLAG("insert", 'i', &cfg.insert, insert),
OPT_FLAG("compat", 'C', &cfg.compat, compat));

err = parse_args(argc, argv, desc, opts);
if (err)
Expand Down Expand Up @@ -9963,7 +9977,13 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
}

if (cfg.insert) {
tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
if (cfg.compat)
tls_key = nvme_insert_tls_key_compat(cfg.keyring,
cfg.keytype, cfg.hostnqn,
cfg.subsysnqn, cfg.identity,
hmac, decoded_key, decoded_len);
else
tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
cfg.keytype, cfg.hostnqn,
cfg.subsysnqn, cfg.identity,
hmac, decoded_key, decoded_len);
Expand All @@ -9981,7 +10001,12 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
} else {
_cleanup_free_ char *tls_id = NULL;

tls_id = nvme_generate_tls_key_identity(cfg.hostnqn,
if (cfg.compat)
tls_id = nvme_generate_tls_key_identity_compat(cfg.hostnqn,
cfg.subsysnqn, cfg.identity,
hmac, decoded_key, decoded_len);
else
tls_id = nvme_generate_tls_key_identity(cfg.hostnqn,
cfg.subsysnqn, cfg.identity,
hmac, decoded_key, decoded_len);
if (!tls_id) {
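Review bot: In gen_tls_key the new `cfg.compat` is consulted only inside the `if (cfg.insert)` branch, so `--compat` without `--insert` parses cleanly and silently does nothing, whereas check_tls_key also honours it on the non-insert identity path; gen_tls_key's body begins and ends outside the hunk, so a use elsewhere in it is possible but not visible here. If the flag really is insert-only there, either say so in its help string or reject the combination right after parse_args, e.g. `if (cfg.compat && !cfg.insert) return -EINVAL;` preceded by an error message naming both options. The help text `"Use compatibility algorithm for HKDF-Expand-Label."` used in both functions is also vaguer than the man page, which calls this the original non-RFC 8446 algorithm; a user picking `-C` from `--help` alone cannot tell that the derived retained key will not match what an RFC 8446 peer derives, so something like `"Use the pre-RFC 8446 HKDF-Expand-Label derivation (interoperates only with older implementations)."` would make the trade-off explicit. The three if/else ladders pass identical argument lists to the compat and non-compat libnvme entry points; choosing the function first and calling it once would halve the duplication, though that is a style preference.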
2 changes: 1 addition & 1 deletion subprojects/libnvme.wrap
@@ -1,6 +1,6 @@
[wrap-git]
url = https://github.com/linux-nvme/libnvme.git
revision = fde6b1f51646f7f0b4a12f61f08e2bb621f01903
revision = c2a699342fb45cbac99a8f400695bd74f8782342

[provide]
libnvme = libnvme_dep